04-27-2009 02:36 AM - edited 02-21-2020 03:25 AM
Hi - When configuring static NAT, the configuration guide states that you use the format 'static (inside,dmz)' where your connections are going to be initiated from the inside to the DMZ.
Access-lists permitting, will this allow connections to be initiated from the DMZ interface to inside?
What I'm trying to work out is does it make any difference if I use 'static (inside,dmz)' or 'static (dmz,inside)'?
I have a requirement for traffic to be initiated in either direction between the inside and the DMZ. Can I do this with one static NAT translation, or do I need two, one for each direction?
Many Thanks in advance
Dom
04-27-2009 02:56 AM
Dom,
If you have an (inside,dmz) and the traffic happens to initiate from dmz to inside - the PIX/ASA should know what to do for reverse NAT, as long as your ACL allows it of course!
HTH
04-27-2009 06:37 AM
Dom
In addition to Andrew's post.
Static NAT is bi-directional so source IP and destination IP are relative to the inside and dmz interfaces of the firewall.
So
static (inside,dmz) 192.168.2.40 10.10.10.40 netmask 255.255.255.255
means
1) traffic from a source IP on the inside of 10.10.10.40 will be natted to 192.168.2.40 as it leaves the dmz interface of the firewall
2) traffic from the dmz with a destination IP address of 192.168.2.40 will be natted to 10.10.10.40 as it leaves the inside interface of the firewall
static (dmz,inside) 192.168.2.40 10.10.10.40 netmask 255.255.255.255
means
1) traffic from the inside with a destination IP of 192.168.2.40 will be natted to 10.10.10.40 as it leaves the dmz interface of the firewall
2) traffic from the dmz with a source IP address of 10.10.10.40 will be translated to 192.168.2.40 as it leaves the inside interface of the firewall.
Jon
04-29-2009 02:23 AM
Hi Jon, Andrew,
Thanks for your replies
I understand the syntax and what they mean. I'm trying to work out if it matters if you use:
static (inside,dmz) 192.168.2.40 10.10.10.40 netmask 255.255.255.255
or
static (dmz,inside) 10.10.10.40 192.168.2.40 netmask 255.255.255.255
Do you always base it on where the traffic is going to be originated from? eg if I use
static (dmz,inside) 10.10.10.40 192.168.2.40 netmask 255.255.255.255
Will that also allow connection to be established from inside to DMZ as well as from DMZ to inside?
If I have a situation whereby traffic is going to be initiated in both directions, do I need two translations?
Cheers, Dom
04-29-2009 02:53 AM
Dom
"I understand the syntax and what they mean, I'm trying to work out if it matters if you use:
static (inside,dmz) 192.168.2.40 10.10.10.40 netmask 255.255.255.255
or
static (dmz,inside) 10.10.10.40 192.168.2.40 netmask 255.255.255.255"
With the greatest respect I'm not sure you do understand the syntax, because the 2 statements do not do the same thing, i.e.
1) static (inside,dmz) 192.168.2.40 10.10.10.40 netmask 255.255.255.255
means present an inside address of 10.10.10.40 as 192.168.2.40 to the DMZ.
so traffic from inside source address of 10.10.10.40 to the DMZ will be translated to source address of 192.168.2.40 when it arrives on the DMZ
AND
traffic sent to the destination address of 192.168.2.40 from the DMZ will be translated to 10.10.10.40 when it arrives on the inside.
2) static (dmz,inside) 10.10.10.40 192.168.2.40 netmask 255.255.255.255
means present the DMZ destination address of 192.168.2.40 as 10.10.10.40 to the inside
so traffic from any inside source address with a destination address of 10.10.10.40 will have the destination address changed to 192.168.2.40 as it arrives on the DMZ. But note this is the destination address not the source address
AND
traffic from a source IP address of 192.168.2.40 on the DMZ will have the source IP address changed to 10.10.10.40 when it arrives on the inside. Again note this is the source not the destination address.
"If I have a situation whereby traffic is going to be initiated in both directions, do I need two translations?"
No because as already stated static NAT is bi-directional which means traffic can be initiated from either direction and the one static NAT statement will take care of it.
Jon
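To make Jon's explanation concrete, here is a small added Python model (not ASA code and not from this thread) of the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip` form. It parses the two statements from the thread and applies the translation in both directions, showing that one static is bidirectional but that the two statements rewrite different addresses. The interface names, IPs and function names are taken from the thread or are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed model (not ASA code) of the pre-8.3 PIX/ASA static NAT form
#   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask 255.255.255.255
# A host real_ip behind real_ifc is presented as mapped_ip on mapped_ifc.
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


@dataclass(frozen=True)
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str

    def describe(self) -> str:
        # Same wording Jon uses: "present an inside address of X as Y to the DMZ"
        return (f"present {self.real_ifc} address {self.real_ip} "
                f"as {self.mapped_ip} to {self.mapped_ifc}")


def parse_static(line: str) -> Static:
    m = STATIC_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    real_ifc, mapped_ifc, mapped_ip, real_ip, mask = m.groups()
    if mask != "255.255.255.255":
        raise ValueError("model covers host (/32) statics only")
    return Static(real_ifc, mapped_ifc, mapped_ip, real_ip)


def translate(stmt: Static, in_ifc: str, out_ifc: str, src: str, dst: str):
    """Return (src, dst) as the packet looks when it leaves out_ifc.

    One static serves both directions: source rewritten for real_ifc -> mapped_ifc,
    destination rewritten for mapped_ifc -> real_ifc. Anything else is unchanged.
    Whether the flow is permitted at all is the ACL's job and is not modelled.
    """
    if (in_ifc, out_ifc) == (stmt.real_ifc, stmt.mapped_ifc) and src == stmt.real_ip:
        return stmt.mapped_ip, dst
    if (in_ifc, out_ifc) == (stmt.mapped_ifc, stmt.real_ifc) and dst == stmt.mapped_ip:
        return src, stmt.real_ip
    return src, dst


if __name__ == "__main__":
    for line in ("static (inside,dmz) 192.168.2.40 10.10.10.40 netmask 255.255.255.255",
                 "static (dmz,inside) 10.10.10.40 192.168.2.40 netmask 255.255.255.255"):
        s = parse_static(line)
        print(line, "->", s.describe())
        print("  inside src 10.10.10.40 -> dmz:", translate(s, "inside", "dmz", "10.10.10.40", "192.168.2.99"))
        print("  dmz src 192.168.2.40 -> inside:", translate(s, "dmz", "inside", "192.168.2.40", "10.10.10.5"))
```

Running it shows that under the first statement an inside source of 10.10.10.40 is rewritten, while under the second that same inside source passes untouched and only the destination 10.10.10.40 is changed.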